Web feature developers told to dial up attention on privacy and security

Web feature developers are being warned to step up attention to privacy and security as they design contributions.

Writing in a blog post about “evolving threats” to Internet users’ privacy and security, the W3C standards body’s technical architecture group (TAG) and Privacy Interest Group (PING) set out a series of revisions to the W3C’s Security and Privacy Questionnaire for web feature developers.

The questionnaire itself is not new. But the latest updates place greater emphasis on the need for contributors to assess and mitigate privacy impacts, with developers warned that “features may not be implemented if risks are found impossible or unsatisfactorily mitigated”.

In the blog post, independent researcher Lukasz Olejnik, currently serving as an invited expert at the W3C TAG; and Apple’s Jason Novak, representing the PING, write that the intent with the update is to make it “clear that feature developers should consider security and privacy early in the feature’s lifecycle” [emphasis theirs].

“The TAG will be carefully considering the security and privacy of a feature in their design reviews,” they further warn, adding: “A security and privacy considerations section of a specification is more than answers to the questionnaire.”

Security & privacy to be considered early in the web/browser feature’s lifecycle. New high level type of threat "legitimate misuse": just because something is technically possible does not mean it was designed for abuse and it is OK to do so

The revisions to the questionnaire include updates to the threat model and specific threats a specification author should consider — including a new high level type of threat dubbed “legitimate misuse“, where the document stipulates that: “When designing a specification with security and privacy in mind, all both use and misuse cases should be in scope.”

“Including this threat into the Security and Privacy Questionnaire is meant to highlight that just because a feature is possible does not mean that the feature should necessarily be developed, particularly if the benefitting audience is outnumbered by the adversely impacted audience, especially in the long term,” they write. “As a result, one mitigation for the privacy impact of a feature is for a user agent to drop the feature (or not implement it).”

“Features should be secure and private by default and issues mitigated in their design,” they further emphasize. “User agents should not be afraid of undermining their users’ privacy by implementing new web standards or need to resort to breaking specifications in implementation to preserve user privacy.”

The pair also urge specification authors to avoid blanket treatment of first and third parties, suggesting: “Specification authors may want to consider first and third parties separately in their feature to protect user security and privacy.”

The revisions to the questionnaire come at a time when browser makers are dialling up their response to privacy threats — encouraged by rising public awareness of the risks posed by data leaks, as well as increased regulatory action on data protection.

Last month the open source WebKit browser engine (which underpins Apple’s Safari browser) announced a new tracking prevention policy that takes the strictest line yet on background and cross-site tracking, saying it would treat attempts to circumvent the policy as akin to hacking — essentially putting privacy protection on a par with security.

Earlier this month Mozilla also pushed out an update to its Firefox browser that enables an anti-tracking cookie feature across the board, for existing users too — demoting third party cookies to default junk.

Even Google’s Chrome browser has made some tentative steps towards enhancing privacy — announcing changes to how it handles cookies earlier this year. Though the adtech giant has studiously avoided flipping on privacy by default in Chrome where third party tracking cookies are concerned, leading to accusations that the move is mostly privacy-washing.

More recently Google announced a long term plan to involve its Chromium browser engine in developing a new open standard for privacy — sparking concerns it’s trying to both kick the can on privacy protection and muddy the waters by shaping and pushing self-interested definitions which align with its core data-mining business interests.

There’s more activity to consider too. Earlier this year another data-mining adtech giant, Facebook, made its first major API contribution to Google’s Chrome browser — which it also brought to the W3C Performance Working Group.

Facebook does not have its own browser, of course. Which means that authoring contributions to web technologies offers the company an alternative conduit to try to influence Internet architecture in its favor.

The W3C TAG’s latest move to focus minds on privacy and security by default is timely.

It chimes with a wider industry shift towards pro-actively defending user data, and should rule out any rubberstamping of tech giants contributions to Internet architecture which is obviously a good thing. Scrutiny remains the best defence against self-interest.

Everyone has been in situations when cash was needed urgently. If you need some coins but have principle position don’t visit banks, we advise paying attention to financial organizations on the web. Today payday loans online in the California are very celebrated. A lot of young men use them and they are very satisfied.

If you wish to take payday loans online, you must take some actions. First of all, you need to choose between websites, where you will use a payday loan. One of the demanded – maybeloan.com, where you can solve your difficulties. If you have any business ideas, but you need the money, you can visit the link and take [url=https://maybeloan.com/payday-loans/hi]payday loans in HI[/url] . It is possible to get money at a different time. There some guys, who are working in different regions. You can obtain cash even on Sunday. If some banks don’t work at the weekend, but you desire cash, it is the best way to get money at this company.

However, necessary to understand, that a lot of guys from diverse cities don’t have the opportunity to receive coins in banks. In the USA there are a lot of banking houses, but any of them decide to provide a loan for a person who meets their expectation. If you desire to receive payday loans in Illinois, you should visit the website. There are a lot of options, which can use people, who will visit the website. It is possible to have cash for different aims. If you want to receive cash in the bank, but your age is not true, better to visit financial organization.

At maybeloan.com you can search the best conditions than in other organizations. A lot of young men all over the U.S. don’t have any options, that give the probability to obtain credit in the bank. If you need money for a new thing or flat repair, you should visit this organization. Today some guys not sure about some banking houses. If you don’t trust the firm, in which you want to obtain cash, you must use services other institution. At maybeloan organization, you can receive loan 24/7 – [url=https://maybeloan.com/payday-loans/nh]https://maybeloan.com/payday-loans/nh[/url] . A lot of women are very thankful organization, that it helps them.

You can obtain payday loans in AK. If you don’t know, where to receive cash in Maine, you can visit link and receive payday loans in Maine.

If you are worried about some fees, you mustn’t think about it. You must to know, that in this firm working nice staff. You can receive a useful payment option, despite where are you leaving. It is probable to receive money for a different wallet. It can be a Visa or MasterCard wallet. It is really to receive cash for a different digital wallet. Also, it can be PayPal system or another one. No extra money, any hidden payments. You should know, that in maybeloan company it is possible to obtain an amount of any size. If you will have any questions, it is possible to call for the contact center.